Beta
Secure a self-hosted node
Protect the host, administrative boundary, signing material, payment integrations, backups, and recovery path as one system.
Minimum operator baseline
- Use a dedicated, patched host and least-privilege service account.
- Keep admin APIs private by default; add TLS, authentication, rate limits, and network policy before remote exposure.
- Protect seed phrases, private keys, API tokens, webhook secrets, and backups independently.
- Review every chain RPC, indexer, plugin, webhook, and delivery integration as a hostile input boundary.
- Monitor health, storage, failed authentication, payment observation, webhook delivery, and unexpected capability changes.
- Test restore and rollback before a release or infrastructure change.
Financial boundaries
- Only Core policy may change payment, refund, dispute, or settlement state.
- Extensions and external services must not receive raw seed phrases or private keys.
- A payment observation is not permission to settle; expected state, identity, amount, confirmations, and idempotency still apply.
- Disabling an unhealthy capability must fail closed rather than silently select a different financial behavior.
Report vulnerabilities privately
Do not open a public issue for a suspected vulnerability, leaked credential, signing-key concern, or exploit. Use GitHub private vulnerability reporting from the affected repository's Security tab.